Around 05/23/2004 12:59 AM, Mircea MITU wrote:
>On Fri, 2004-05-21 at 17:41 +0300, Constantin Gavrilescu wrote:
>
>>I found the Windows boxes on my network full of viruses and trojans.
>>
>>I don't know very well how things work with trojans, I've never dealt with them.
>>What I know is what I read at http://grc.com/dos/grcdos.htm .
>>
>
>In 99% of cases, they are unrelated.
>

News about my worms :)

Gibson's article resembles quite closely what has happened to me now. As far as I understand, one of the infected computers has just taken part in a DDoS:

tcpdump -i eth1:

16:52:33.266641 modem-75.gazelle.dialup.pol.co.uk.1030 > 67.15.17.79.27960: S 446758912:446758912(0) win 16384
16:52:33.266664 modem-76.gazelle.dialup.pol.co.uk.1990 > 67.15.17.79.27960: S 368836608:368836608(0) win 16384
16:52:33.266690 modem-77.gazelle.dialup.pol.co.uk.1114 > 67.15.17.79.27960: S 368312320:368312320(0) win 16384
16:52:33.266718 modem-78.gazelle.dialup.pol.co.uk.1949 > 67.15.17.79.27960: S 1630994432:1630994432(0) win 16384
16:52:33.266743 modem-79.gazelle.dialup.pol.co.uk.1974 > 67.15.17.79.27960: S 1531052032:1531052032(0) win 16384
16:52:33.266773 modem-80.gazelle.dialup.pol.co.uk.1672 > 67.15.17.79.27960: S 1455816704:1455816704(0) win 16384
16:52:33.266798 modem-81.gazelle.dialup.pol.co.uk.1769 > 67.15.17.79.27960: S 1188757504:1188757504(0) win 16384
16:52:33.266826 modem-82.gazelle.dialup.pol.co.uk.1038 > 67.15.17.79.27960: S 1420165120:1420165120(0) win 16384

tcpdump -n -i eth1:

16:54:40.865353 81.145.11.49.1003 > 67.15.17.79.27960: S 563019776:563019776(0) win 16384
16:54:40.865376 81.145.11.50.1674 > 67.15.17.79.27960: S 1814495232:1814495232(0) win 16384
16:54:40.865404 81.145.11.51.1257 > 67.15.17.79.27960: S 1397358592:1397358592(0) win 16384
16:54:40.865433 81.145.11.52.1396 > 67.15.17.79.27960: S 1479344128:1479344128(0) win 16384
16:54:40.865460 81.145.11.53.1735 > 67.15.17.79.27960: S 249167872:249167872(0) win 16384
16:54:40.865490 81.145.11.54.1739 > 67.15.17.79.27960: S 1662320640:1662320640(0) win 16384

So, an attack against 67.15.17.79, with a spoofed source IP. I identified the real sender by MAC address (also with tcpdump). I can't find the attacked IP at ARIN, and a traceroute to it leads nowhere.

This traffic managed to lock up the server (it answered about 1% of pings on the network), with very high load averages.

Here are the logs:

/var/log/kernel/info:

May 23 16:41:53 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x20/0)
May 23 16:41:55 server last message repeated 2594 times
May 23 16:41:55 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x20/1)
May 23 16:41:55 server last message repeated 80 times
May 23 16:41:55 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x20/0)
May 23 16:41:55 server last message repeated 121 times
May 23 16:41:55 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x20/1)
May 23 16:41:55 server last message repeated 126 times
May 23 16:41:55 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x20/0)
May 23 16:41:55 server last message repeated 459 times
May 23 16:41:55 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x20/1)
May 23 16:41:55 server last message repeated 240 times
May 23 16:41:55 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x20/0)
May 23 16:41:56 server last message repeated 799 times

/var/log/kernel/errors:

May 23 15:20:07 server kernel: eth1: Too much work at interrupt, status=0x4050.
May 23 15:27:19 server kernel: eth1: Too much work at interrupt, status=0x4050.
May 23 15:46:05 server kernel: eth1: Too much work at interrupt, status=0x4050.
May 23 15:52:50 server kernel: eth1: Too much work at interrupt, status=0x4050.

The network card is an eepro100, which has worked perfectly until now.

--
What doesn't kill you makes you stronger.

---
Details about our mailing lists: http://www.lug.ro/
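The capture in the message above shows the pattern a defender can key on from the LAN side: a burst of pure SYNs to one destination host:port within a fraction of a second, from many distinct source addresses that increment by one (the signature of a naive spoofing loop in the infected host). The following is an added example, not code from the original post or from the LUG.ro list: a small parser for the classic tcpdump text format shown in the message, plus a detector that groups SYNs per target, counts distinct sources in a sliding time window, and measures how "sequential" those sources are. The six attack lines in the sample are taken from the post's second capture; the two trailing lines with 10.0.0.x addresses are constructed benign traffic (a normal SYN and its SYN-ACK) added to show what is not flagged. The threshold values are assumptions, not anything from the post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample capture: six lines copied from the post (tcpdump -n output), followed
# by two constructed benign lines (a SYN to SSH and the matching SYN-ACK).
SAMPLE_CAPTURE = """\
16:54:40.865353 81.145.11.49.1003 > 67.15.17.79.27960: S 563019776:563019776(0) win 16384
16:54:40.865376 81.145.11.50.1674 > 67.15.17.79.27960: S 1814495232:1814495232(0) win 16384
16:54:40.865404 81.145.11.51.1257 > 67.15.17.79.27960: S 1397358592:1397358592(0) win 16384
16:54:40.865433 81.145.11.52.1396 > 67.15.17.79.27960: S 1479344128:1479344128(0) win 16384
16:54:40.865460 81.145.11.53.1735 > 67.15.17.79.27960: S 249167872:249167872(0) win 16384
16:54:40.865490 81.145.11.54.1739 > 67.15.17.79.27960: S 1662320640:1662320640(0) win 16384
16:54:41.100000 10.0.0.7.40001 > 10.0.0.1.22: S 1:1(0) win 5840
16:54:41.200000 10.0.0.1.22 > 10.0.0.7.40001: S 2:2(0) ack 2 win 5792
"""

# Classic tcpdump line:  HH:MM:SS.usec src.sport > dst.dport: FLAGS rest
# The greedy \S+ for the host backtracks to the last ".port", so both
# resolved hostnames (tcpdump without -n) and dotted IPs parse correctly.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+) ?(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
    # Classic tcpdump prints a SYN-ACK as "S ... ack N", so a pure SYN is
    # the "S" flag with no ack field in the remainder of the line.
    pkt["syn"] = pkt["flags"] == "S" and " ack " not in f" {pkt['rest']} "
    return pkt


def sequential_fraction(sources):
    """Fraction of adjacent sorted IPv4 sources that differ by exactly 1.
    Returns 0.0 when sources are hostnames (capture taken without -n)."""
    addrs = []
    for src in sources:
        try:
            addrs.append(int(ipaddress.IPv4Address(src)))
        except ipaddress.AddressValueError:
            return 0.0
    addrs.sort()
    if len(addrs) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(addrs, addrs[1:]) if b - a == 1)
    return steps / (len(addrs) - 1)


def detect_syn_floods(capture, window_s=1.0, min_sources=5):
    """Group pure SYNs by destination host:port and flag every target that
    receives SYNs from at least `min_sources` distinct sources inside any
    `window_s`-second window. Thresholds are assumed values for the demo."""
    syns = defaultdict(list)
    for raw in capture.splitlines():
        pkt = parse_line(raw)
        if pkt and pkt["syn"]:
            syns[(pkt["dst"], pkt["dport"])].append((pkt["ts"], pkt["src"]))

    alerts = []
    for (dst, dport), events in syns.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window_sources = {src for _, src in events[start:end + 1]}
            if len(window_sources) > len(best):
                best = window_sources
        if len(best) >= min_sources:
            alerts.append({
                "target": f"{dst}:{dport}",
                "distinct_sources": len(best),
                "sequential_fraction": sequential_fraction(best),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_floods(SAMPLE_CAPTURE):
        print(alert)
```

On the sample, only 67.15.17.79:27960 is reported, with six distinct sources and a sequential fraction of 1.0; the SSH handshake is left alone because it has a single source and its SYN-ACK is excluded. A sequential fraction near 1.0 is a strong hint that the addresses are forged rather than real clients, which is exactly why the post's author had to fall back on the Ethernet MAC address to find the infected machine. The operational fix on the LAN side is egress filtering at the gateway (drop packets whose source address is not one of your own prefixes), which stops the spoofed traffic from leaving regardless of which host is infected.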
